In this article, we will look at how to change (reset) the password of one or multiple Active Directory users using the Active Directory Users and Computers graphical snap-in (ADUC), from the command line, or using the Set-ADAccountPassword PowerShell cmdlet.
Reset User Password with the Active Directory Console
You can use the dsa.msc (Active Directory Users & Computers, ADUC) graphical snap-in to reset an Active Directory user’s password. Open the ADUC console and search for the user account whose password you want to change. Right-click on it and select Reset password.
Enter a new password (twice). Here you can enable two options:
- User must change password at next logon – enable this option if you want the user to set a new password themselves the next time they log in;
- Unlock user’s account – enable this option if you want to unlock the user (for example, if the account was locked out by the AD account lockout policy after multiple logon attempts with an incorrect password).
This is the easiest and most intuitive way to reset a domain user’s password.
To reset a user password, your account must have the appropriate privileges in the AD domain. By default, non-admin AD users cannot reset passwords of other accounts, and only members of the built-in Domain Admins and Account Operators groups have these rights.
You can grant other user groups permission to reset user passwords in specific OUs using Active Directory delegation. The link provides an example of delegating the permissions to reset passwords and unlock users to the HelpDesk group.
To check that your account has the permission to reset the password of a specific AD user, open its properties, go to the Security tab -> Advanced -> Effective Access -> specify the name of your account -> make sure that you have Reset Password permission.
How to Reset a User’s Password in AD Using PowerShell
You can use the Set-ADAccountPassword cmdlet to reset an Active Directory user’s password using PowerShell. This cmdlet is a part of the Active Directory module for Windows PowerShell (on desktop Windows editions it is installed as part of RSAT). Import this module into your PowerShell session:
Import-Module ActiveDirectory
To reset a password for the user jliebert and set a new password myP@ssw0rd112, run this command:
Set-ADAccountPassword jliebert -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "myP@ssw0rd112" -Force -Verbose) -PassThru
By default, the cmdlet displays nothing in the console. To return the modified user object and display its information, use the -PassThru parameter.
You can specify sAMAccountName (as in our case), objectGUID, user’s SID, or a DN (Distinguished Name, e. g., CN=jliebert,OU=Users,DC=woshub,DC=com) as a user name.
If you don’t specify the -Reset parameter when changing a user password, you must manually enter the old and the new account passwords.
The command may fail with the following error:
Set-ADAccountPassword: The password does not meet the length, complexity, or history requirement of the domain.
This means that the new password does not satisfy the complexity, length, or history requirements defined in the domain password policy (or in the fine-grained password policy) that applies to the account.
You can get the resulting password policy settings for a domain user as follows:
Get-ADUserResultantPasswordPolicy -Identity jliebert
If PowerShell command history is enabled and you don’t want passwords to appear in the PoSh console as plain text, read the password into a secure string, in the same way as when creating a new user account:
$NewPasswd = Read-Host "Enter a new user password" -AsSecureString
You can now set a new password for the user:
Set-ADAccountPassword jliebert -Reset -NewPassword $NewPasswd -PassThru
When resetting a user password, you can also unlock the account if it was locked out earlier (to find out from which computer the account is being locked out, read the article How to Find the Source of Account Lockouts in Active Directory?):
Unlock-ADAccount -Identity jliebert
To force a user to change his password the next time he logs in to the domain, run the following command:
Set-ADUser -Identity jliebert -ChangePasswordAtLogon $true
You can combine the password reset and the requirement to change the password at next logon (this is the userAccountControl object attribute) in a single PowerShell one-liner:
Set-ADAccountPassword jliebert -NewPassword $NewPasswd -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $True
Using the Get-ADUser cmdlet, you can make sure that the password has been successfully reset and display the last date of the account password change:
Get-ADUser jliebert -Properties * | select name, pass*
When a password is reset, event ID 4724 is recorded in the Security log of the domain controller (DC) that processed the reset. This event lets you identify the account that reset the user’s password.
To find out when a user’s current password will expire, query the msDS-UserPasswordExpiryTimeComputed attribute:
Get-ADUser -Identity simonecole -Properties msDS-UserPasswordExpiryTimeComputed | Select-Object @{Name="ExpirationDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
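The following is an added example (not code from the original article) that turns the event ID 4724 audit trail described above into a report of who reset whose password. It queries every domain controller, because the event is written only on the DC that handled the reset; it assumes the ActiveDirectory module, permission to read the Security log on the DCs, and a 24-hour window that you can adjust.

```powershell
# Added example: report password resets (event ID 4724) across all DCs in the domain.
# Assumes the ActiveDirectory module and read access to the Security log on each DC.
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-24)   # assumption: look back 24 hours
# A reset lands in the log of whichever DC handled it, so query all of them
$dcs = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4724; StartTime = $since
        }
    }
    catch {
        # Get-WinEvent raises an error when no events match; unreachable DCs do too
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

$events | ForEach-Object {
    # EventData of 4724: Subject* = who performed the reset, Target* = whose password was reset
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        DC        = $_.MachineName
        ResetBy   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Target    = "$($data.TargetDomainName)\$($data.TargetUserName)"
        TargetSid = $data.TargetSid
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Resets performed through ADUC, PowerShell and net user all produce the same event, so the ResetBy column shows the administrative account regardless of the tool used.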
How to Change Password for Multiple AD Users with PowerShell
Above, we showed you how to reset the password of a single AD user using PowerShell. Now let’s look at another scenario where you need to change multiple users’ passwords at once.
For example, you want to reset the passwords of all employees in the Sales department to the same password and force them to change it the next time they log in. You can use Get-ADUser with the -Filter parameter to select users by the value of a specific attribute:
Get-ADUser -Filter "department -eq 'Sales Dept' -AND enabled -eq 'True'" | Set-ADAccountPassword -NewPassword $NewPasswd -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $True
Let’s look at another example. Suppose you have a CSV/Excel file that contains a list of users whose passwords need to be reset, with a unique password for each user. Here is the format of the users.csv file:
sAMAccountName;NewPassword
acidicjustine;Pa$$w0r1
josephomoore;N$isory01
simonecole;k@32d3!2
You can reset a password for each user account in the specified CSV file with the following PowerShell script:
Import-Csv users.csv -Delimiter ";" | ForEach-Object {
    # Convert the plain-text password from the file into a secure string
    $NewPass = ConvertTo-SecureString -AsPlainText $_.NewPassword -Force
    # Reset the password and pass the user object on to Set-ADUser
    Set-ADAccountPassword -Identity $_.sAMAccountName -NewPassword $NewPass -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $false
}
After this code is executed, a new unique password will be set for all AD users in the file.
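A more defensive variant of the bulk reset above, added here as an example and not part of the original article: it checks the new password against the resultant password policy before contacting the DC, catches the per-user failures (unknown account, policy rejection) instead of aborting the whole run, forces a change at next logon so the password in the file is one-time only, and writes a report without the passwords. It assumes the same users.csv format (sAMAccountName;NewPassword) and the ActiveDirectory module; the report file name is an assumption.

```powershell
# Added example: bulk password reset from users.csv with policy pre-check and a result report.
# Assumes users.csv in the article's format (sAMAccountName;NewPassword) and the ActiveDirectory module.
Import-Module ActiveDirectory

$results = Import-Csv -Path .\users.csv -Delimiter ';' | ForEach-Object {
    $sam = $_.sAMAccountName
    $outcome = [ordered]@{ User = $sam; Status = ''; Detail = '' }
    try {
        # Fail early on typos in the file instead of silently skipping the row
        $user = Get-ADUser -Identity $sam -Properties LockedOut -ErrorAction Stop

        # Check the length against the policy that actually applies (fine-grained policy,
        # falling back to the default domain policy when no PSO is assigned)
        $policy = Get-ADUserResultantPasswordPolicy -Identity $user
        if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
        if ($_.NewPassword.Length -lt $policy.MinPasswordLength) {
            throw "password shorter than MinPasswordLength=$($policy.MinPasswordLength)"
        }

        $secure = ConvertTo-SecureString -String $_.NewPassword -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure -ErrorAction Stop
        # The plain-text password in the CSV should only ever work once
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
        if ($user.LockedOut) { Unlock-ADAccount -Identity $user -ErrorAction Stop }

        $outcome.Status = 'OK'
        $outcome.Detail = 'reset; must change at next logon'
    }
    catch {
        # Typical failures: account not found, or the DC rejects the password
        # ("does not meet the length, complexity, or history requirement of the domain")
        $outcome.Status = 'FAILED'
        $outcome.Detail = $_.Exception.Message
    }
    [pscustomobject]$outcome
}

$results | Format-Table -AutoSize
# Keep a report for the help desk, but never write the passwords themselves to it
$results | Export-Csv -Path .\reset-report.csv -Delimiter ';' -NoTypeInformation
```

Complexity and history rules are only enforced by the DC, so a row can still fail after passing the length check; the report captures the DC's error text for that user.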
Changing Domain User Passwords from the Command Line
If you don’t have the ADUC console or the RSAT-AD-PowerShell module installed on your computer, you can reset a domain user’s password with the net user console command. To get information about a domain user, run the command:
net user jliebert /domain
The command line shows basic information about the user’s password properties in the domain:
Password last set            4/22/2022 2:15:15 AM
Password expires             Never
Password changeable          4/23/2022 2:15:15 AM
Password required            Yes
User may change password     Yes
Last logon                   4/22/2022 2:48:12 AM
Logon hours allowed          All
To reset this user’s password, run the command:
net user jliebert /domain *
Enter a new password and confirm it:
Type a password for the user: xxxx
Retype the password to confirm: xxxx
The command completed successfully.